sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-05 21:57:51 +03:00
Code
samba-mirror/source3/nsswitch/pam_winbind.h
Günther Deschner 9684e353a1 r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user 
changed a password via pam_chauthtok. Only do this if

a) a user logs on using an expired password (or a password that needs to
be changed immediately) or

b) the user itself changes his password.

Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).

Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).

Guenther
(This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10 12:18:08 -05:00

190 lines
5.4 KiB
C
Raw Blame History

/* pam_winbind header file
(Solaris needs some macros from Linux for common PAM code)
Shirish Kalele 2000
*/
#include "lib/replace/replace.h"
#include "system/syslog.h"
#include "system/time.h"
#define MODULE_NAME "pam_winbind"
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
#ifndef PAM_WINBIND_CONFIG_FILE
#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
#endif
#include <iniparser.h>
#ifndef LINUX
/* Solaris always uses dynamic pam modules */
#define PAM_EXTERN extern
#include <security/pam_appl.h>
#ifndef PAM_AUTHTOK_RECOVER_ERR
#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
#endif
#endif /* defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) */
#ifdef HAVE_SECURITY_PAM_MODULES_H
#include <security/pam_modules.h>
#endif
#ifdef HAVE_SECURITY__PAM_MACROS_H
#include <security/_pam_macros.h>
#else
/* Define required macros from (Linux PAM 0.68) security/_pam_macros.h */
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
do { \
int reply_i; \
\
for (reply_i=0; reply_i<replies; ++reply_i) { \
if (reply[reply_i].resp) { \
_pam_overwrite(reply[reply_i].resp); \
free(reply[reply_i].resp); \
} \
} \
if (reply) \
free(reply); \
} while (0)
#define _pam_overwrite(x) \
do { \
register char *__xx__; \
if ((__xx__=(x))) \
while (*__xx__) \
*__xx__++ = '\0'; \
} while (0)
/*
* Don't just free it, forget it too.
*/
#define _pam_drop(X) SAFE_FREE(X)
#define x_strdup(s) ( (s) ? strdup(s):NULL )
#endif /* HAVE_SECURITY__PAM_MACROS_H */
#ifdef HAVE_SECURITY_PAM_EXT_H
#include <security/pam_ext.h>
#endif
#define WINBIND_DEBUG_ARG (1<<0)
#define WINBIND_USE_AUTHTOK_ARG (1<<1)
#define WINBIND_UNKNOWN_OK_ARG (1<<2)
#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
#define WINBIND__OLD_PASSWORD (1<<5)
#define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
#define WINBIND_KRB5_AUTH (1<<7)
#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
#define WINBIND_CACHED_LOGIN (1<<9)
#define WINBIND_CONFIG_FILE (1<<10)
#define WINBIND_SILENT (1<<11)
#define WINBIND_DEBUG_STATE (1<<12)
/*
* here is the string to inform the user that the new passwords they
* typed were not the same.
*/
#define MISTYPED_PASS "Sorry, passwords do not match"
#define on(x, y) (x & y)
#define off(x, y) (!(x & y))
#define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD"
#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH"
#define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR"
#define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT"
#define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER"
#define PAM_WINBIND_PROFILEPATH "PAM_WINBIND_PROFILEPATH"
#define PAM_WINBIND_PWD_LAST_SET "PAM_WINBIND_PWD_LAST_SET"
#define SECONDS_PER_DAY 86400
#define DAYS_TO_WARN_BEFORE_PWD_EXPIRES 5
#include "winbind_client.h"
#define PAM_WB_REMARK_DIRECT(h,f,x)\
{\
const char *error_string = NULL; \
error_string = _get_ntstatus_error_string(x);\
if (error_string != NULL) {\
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
} else {\
_make_remark(h, f, PAM_ERROR_MSG, x);\
};\
};
#define PAM_WB_REMARK_DIRECT_RET(h,f,x)\
{\
const char *error_string = NULL; \
error_string = _get_ntstatus_error_string(x);\
if (error_string != NULL) {\
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
return ret;\
};\
_make_remark(h, f, PAM_ERROR_MSG, x);\
return ret;\
};
#define PAM_WB_REMARK_CHECK_RESPONSE(h,f,x,y)\
{\
const char *ntstatus = x.data.auth.nt_status_string; \
const char *error_string = NULL; \
if (!strcasecmp(ntstatus,y)) {\
error_string = _get_ntstatus_error_string(y);\
if (error_string != NULL) {\
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
};\
if (x.data.auth.error_string[0] != '\0') {\
_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
};\
_make_remark(h, f, PAM_ERROR_MSG, y);\
};\
};
#define PAM_WB_REMARK_CHECK_RESPONSE_RET(h,f,x,y)\
{\
const char *ntstatus = x.data.auth.nt_status_string; \
const char *error_string = NULL; \
if (!strcasecmp(ntstatus,y)) {\
error_string = _get_ntstatus_error_string(y);\
if (error_string != NULL) {\
_make_remark(h, f, PAM_ERROR_MSG, error_string);\
return ret;\
};\
if (x.data.auth.error_string[0] != '\0') {\
_make_remark(h, f, PAM_ERROR_MSG, x.data.auth.error_string);\
return ret;\
};\
_make_remark(h, f, PAM_ERROR_MSG, y);\
return ret;\
};\
};
/* from include/rpc_samr.h */
#define DOMAIN_PASSWORD_COMPLEX 0x00000001
#define REJECT_REASON_OTHER 0x00000000
#define REJECT_REASON_TOO_SHORT 0x00000001
#define REJECT_REASON_IN_HISTORY 0x00000002
#define REJECT_REASON_NOT_COMPLEX 0x00000005
/* from include/smb.h */
#define ACB_PWNOEXP 0x00000200
/* from include/rpc_netlogon.h */
#define LOGON_CACHED_ACCOUNT 0x00000004
#define LOGON_GRACE_LOGON 0x01000000
#define PAM_WB_CACHED_LOGON(x) (x & LOGON_CACHED_ACCOUNT)
#define PAM_WB_GRACE_LOGON(x) ((LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON) == ( x & (LOGON_CACHED_ACCOUNT|LOGON_GRACE_LOGON)))
View Git Blame Copy Permalink